Publication | Closed Access
ICS Anomaly Detection Based on Sensor Patterns and Actuator Rules in Spatiotemporal Dependency
Citations: 26
References: 27
Year: 2024
Anomaly Detection, Machine Learning, Entity Spatial Relationships, Engineering, Intelligent Systems, Hardware Security, Data Science, Cyber Monitoring, Systems Engineering, CPS Security, Sensor Patterns, Outlier Detection, Computer Science, ICS Anomaly Detection, Deep Learning, Signal Processing, Actuator Rules, Data-driven Methods, Novelty Detection, Disturbance Detection, Control System Security, Industrial Informatics, Event-driven Monitoring
Data-driven methods, such as deep learning, are widely adopted to detect cyberattacks against industrial control systems (ICSs). However, because entity spatial relationships (ESR) are neglected, there is a potential discrepancy between the learned device topology and the real physical process. Meanwhile, existing methods confuse sensor patterns, actuator rules, and some interference within spatiotemporal dependence, and therefore suffer from the undetected attack issue. To achieve precise detection without using design knowledge, we propose a sensor-actuator separated anomaly detection method (SA2) that distinguishes sensor patterns from actuator rules, constructing prediction models for sensors (PM-SEN) and actuators (PM-ACT) separately. Moreover, we propose an ESR-based topology construction method that provides a process-conformed topology, and an attack span-based evaluation method for validating the undetected attack issue. The experimental results show that SA2 outperforms all baselines in F1 score and effectively detects all attacks (zero undetected rate), compared to an optimal baseline with an undetected rate of close to 50%.